InsFuzz: Fuzzing Binaries With Location Sensitivity

Fuzzing is a popular technique that is widely used to find software bugs. However, fuzzing remains limited in finding bugs that lie on deep paths, since it has difficulty bypassing the complex checks of the target program. In this paper, we propose a location-sensitive fuzzing approach, named InsFuzz, that leverages lightweight program analysis. We use static analysis and binary instrumentation to infer the bytes that could influence comparison instructions, which we call key bytes, and then to infer the relationship between the key bytes and the comparison instructions during execution. This enables a fuzzer to know which bytes are worth mutating and how these bytes should be mutated. In addition, we collect comparison progress information (i.e., we record the number of matching bytes between the two operands of an instruction) during execution and preserve the mutated inputs with higher comparison progress. Therefore, the fuzzer can break through comparison instructions efficiently. We first evaluated InsFuzz on the LAVA-M dataset against other fuzzers, including AFL-Dyninst, and then compared InsFuzz with AFL-Dyninst on five real-world programs. The results show that InsFuzz found more bugs than the fuzzers we compared with on the LAVA-M dataset. In addition, InsFuzz found some new bugs that the authors of LAVA-M did not list. On the real-world programs, InsFuzz triggered more unique crashes and covered more code than AFL-Dyninst.
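The key-byte and comparison-progress mechanism described in the abstract, as an added toy model (not InsFuzz's code): a simulated instrumented target with a four-byte check, key-byte inference by observing which input offsets change the compared operand (a dynamic stand-in for the paper's static analysis plus instrumentation), and a mutation loop that keeps an input whenever its comparison progress rises. `MAGIC`, `MAGIC_OFFSET`, the `Trace` record and the all-zero seed are constructed here for illustration.

```python
"""Toy model of comparison-progress-guided fuzzing over inferred key bytes."""
from dataclasses import dataclass

MAGIC = b"FUZZ"      # constructed: the multi-byte check the fuzzer must pass
MAGIC_OFFSET = 4     # constructed: offset at which the target reads the compared bytes


@dataclass
class Trace:
    passed: bool     # did the comparison succeed
    operand: bytes   # first operand of the comparison, as seen by instrumentation
    progress: int    # comparison progress: number of matching byte positions


def target(data: bytes) -> Trace:
    """Simulated binary: a memcmp-style check of bytes 4..7 against MAGIC.
    The 'instrumentation' records the operand and how many bytes already match."""
    operand = data[MAGIC_OFFSET:MAGIC_OFFSET + len(MAGIC)]
    progress = sum(a == b for a, b in zip(operand, MAGIC))
    return Trace(operand == MAGIC, operand, progress)


def infer_key_bytes(seed: bytes) -> list[int]:
    """Infer which input offsets influence the comparison operand.
    Hypothetical stand-in for static analysis: flip each byte once and
    report the offsets whose flip changes the observed operand."""
    base = target(seed).operand
    key = []
    for i in range(len(seed)):
        mutated = seed[:i] + bytes([seed[i] ^ 0xFF]) + seed[i + 1:]
        if target(mutated).operand != base:
            key.append(i)
    return key


def fuzz(seed: bytes) -> tuple[bytes, int]:
    """Mutate only the key bytes; keep a candidate whenever comparison
    progress rises. Returns the final input and the number of mutation
    executions (the key-byte inference pass is not counted)."""
    execs = 0
    best, best_prog = seed, target(seed).progress
    for i in infer_key_bytes(seed):
        for v in range(256):
            cand = best[:i] + bytes([v]) + best[i + 1:]
            execs += 1
            tr = target(cand)
            if tr.progress > best_prog:
                best, best_prog = cand, tr.progress
                break  # this key byte now matches; move to the next one
    return best, execs
```

Because progress is a per-byte count, each key byte is solved independently in at most 256 runs instead of the 2^32 blind guesses a flat four-byte check would otherwise demand.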
